Security
How we isolate your code, scope GitHub permissions, limit what the agent can reach, and sanitize logs. Open beta — a full security overview will be published before paid GA.
Isolated
One sandbox per agent. No shared state across customers.
Least-privilege
Four GitHub App scopes, per-repo, revocable anytime.
No secret leaks
Secrets injected at runtime, never retained, scrubbed from logs.
01
Every agent runs in its own isolated sandbox — one per agent, with no shared state across customers. The container is long-lived: it boots on first use, pauses when idle to save you money, and resumes on your next request.
02
GitHub sign-in currently requests read:user, user:email, and GitHub's repo OAuth scope so the app can identify you, show reachable repos, and support older repo flows. Connected-repo work uses the GitHub App whenever installed.
The GitHub App requests the minimum permissions needed to do the job. Nothing more.
contents: write — to push to a feature branch.
pull_requests: write — to open the PR.
metadata: read — to look up the default branch.
actions: read — to read CI status.
We do not request admin:repo_hook, delete:repo, admin:org, or any organization-level App permission. Personal access tokens are never accepted.
You install per-repo, not per-org. You can revoke at any time from your GitHub settings.
03
Outbound traffic from the sandbox is intercepted at the boundary, and the destinations an agent must never reach are blocked unconditionally: cloud-metadata endpoints (169.254.169.254, metadata.google.internal), private and internal networks (RFC1918, CGNAT, IPv6 link-local), and FlareCode's own control surfaces. This is verified, not asserted — a request to 169.254.169.254 returns 403.
Package registries (npm, pypi, crates.io), github.com, and the model provider you chose stay reachable so real work gets done. On top of the network block, the model proxy refuses to forward any prompt that embeds a URL pointing at a blocked host — so the agent can't be tricked into exfiltrating to a metadata endpoint or your internal network.
Want stricter rules than the defaults? Hooks let you add your own, enforced at these same server-side chokepoints an agent can't route around: block a prompt that leaks a secret or hits your denylist, gate which MCP servers and models an agent may call, or fire a webhook when a goal finishes. Security hooks fail closed, any secret you give a hook is encrypted at rest, and nothing runs until you add one. See the hooks docs.
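The egress policy described above, as an added example that is not FlareCode's own code: a host classifier for the destinations the page blocks (metadata endpoints, RFC 1918, CGNAT, IPv6 link-local, and a placeholder standing in for the control-plane hosts, which the page does not name), plus the prompt-side check that refuses any URL pointing at one of them. It goes slightly beyond the page by also blocking loopback and by unwrapping IPv4-mapped IPv6 literals so they cannot bypass the IPv4 rules.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed policy data mirroring the destinations listed on the page.
# The control-surface hostname is a placeholder; the real hosts are not on the page.
BLOCKED_HOSTNAMES = {"metadata.google.internal", "control-plane.placeholder.invalid"}
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.169.254/32",                             # cloud-metadata endpoint
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private ranges
    "100.64.0.0/10",                                  # CGNAT (RFC 6598)
    "fe80::/10",                                      # IPv6 link-local
    "127.0.0.0/8", "::1/128",                         # loopback (added here; not listed on the page)
)]
URL_RE = re.compile(r"[a-z][a-z0-9+.-]*://[^\s<>\"']+", re.I)


def is_blocked_host(host: str) -> bool:
    """True if an IP literal or hostname is a destination the agent must never reach."""
    host = host.strip("[]").lower().rstrip(".")
    if host in BLOCKED_HOSTNAMES:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name: the boundary re-checks the resolved address at connect time
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:169.254.169.254 must not slip past the IPv4 rules
    return any(addr in net for net in BLOCKED_NETWORKS)


def blocked_urls_in_prompt(prompt: str) -> list[str]:
    """URLs in a prompt whose host is blocked; a non-empty result means the proxy refuses to forward it."""
    hits = []
    for url in URL_RE.findall(prompt):
        host = urlparse(url).hostname  # drops userinfo, port and IPv6 brackets
        if host and is_blocked_host(host):
            hits.append(url)
    return hits


if __name__ == "__main__":
    # Constructed sample prompt: one allowed destination, one metadata endpoint.
    sample = ("Run npm install, then GET http://169.254.169.254/latest/meta-data/ "
              "and push to https://github.com/org/repo")
    print(blocked_urls_in_prompt(sample))  # ['http://169.254.169.254/latest/meta-data/']
```

The hostname branch returns False for any DNS name not on the list, so a boundary filter must re-apply the address check after resolution, at connect time, rather than trusting the name.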
04
Secrets your repo needs at test time (database URLs, third-party API keys for integration tests) are injected only when a request needs them. They are never written to the agent's process environment, never visible in agent reasoning, and never retained after the task ends.
Customer-side .env files are not read into the agent's working memory or model context.
05
Log streams pass through a sanitizer before anything is stored. It scrubs known secret patterns — API keys, OAuth tokens, and cloud credentials — so they never reach our logs.
Secret-pattern coverage is tested on every release, and any pattern that slips through is treated as a top-priority issue. Logs are kept for 30 days, then deleted. They never include source code outside the diff.
06
Workspace (your code)
Encrypted snapshots so your work survives a pause, restart, or eviction. Kept for the life of the agent; destroyed when you destroy the agent or delete your account.
Task logs (sanitized)
30 days, then auto-delete.
Task metadata (cost, duration, status)
Retained for billing for 90 days.
Account email + GitHub login
Retained while the account is active.
Waitlist email
Retained until you ask us to delete it.
07
Found a security issue? Email security@flarecode.sh with details and a repro. We'll respond within 48 hours.
A public bug bounty kicks in at paid GA.